Information Assurance Awareness Training
NIST Special Publication 800-50 is a regulation dedicated to IA Awareness Training.
NIST SP 800-50, Building an Information Technology Security Awareness & Training Program
SP 800-50 includes guidance on developing and sustaining an IT security awareness & training program (aka information assurance training) for all users, employees and supervisors within an organization. Having a training program is mandated by the Federal Information Security Act of 2002.
IA Awareness Training – Roles & Responsibilities
Agency heads – must ensure that high priority is given to effective security awareness and training for employees, and must appoint a CIO.
CIO – establish an overall strategy and ensure that funding, tracking and reporting are in place for the IT security awareness and training program.
IT Security Program Manager – tactical deployment, development and maintenance of the IT security awareness & training program.
Managers – responsible for complying with the IT security awareness program. Work with the CIO and IT Security Program Manager to share responsibility. Ensure all users are trained to fulfill their security roles before access is given. Promote professional development and certification of the IT staff.
Users – largest audience in any organization and are the single most important group of people who can help to reduce unintentional errors.
800-50 calls learning a “continuum”. The continuum of learning starts with awareness and builds into education.
Awareness – awareness is not training. Awareness focuses on security concerns to ensure users are mindful of the basic rules and issues in a given environment.
Training – a formal, focused method of developing a skill for job performance.
Training strives to produce relevant and needed security skills and competencies – 800-50
Education – combines multidisciplinary areas into a common body of knowledge.